Jump to content

Explorer.exe Chewing up resources, multiple instances, accessing malicious websites


Recommended Posts

Hello, 

 

I've been struggling with some malware on my windows 7 home premium 64 bit home PC.  About two weeks ago, I noticed something was wrong when the PC got really laggy and the cpu was pegged and RAM was full.  After struggling into task manager, I found some sketchy processes, long story short some nasty .exe files hanging out in AppData that I used safe mode with command prompt to delete (havac.exe among them, if that rings a bell). I have all my files backed up, and have been going at this thing with malwarebytes and microsoft security essentials, as I don't know what else to do. Everything shows up clean now, but I'll get multiple explorer.exe processes running and using all my resources. Malwarebytes also informs me that explorer.exe is trying to access malicious web addresses.  It changes almost every time, and I haven't written any of the addresses down.  Bottom line, there's stuff still here making it hard for me to use my PC, and I don't know how else to attack it.  I've read some about this kind of issue but descriptions and solutions vary so I figured I'd start fresh.  I've also read about the security issues and vulnerability associated with this kind of thing, so I want to get this resolved asap.  

 

Thank-you in advance for all your help.

 

 

Link to post
Share on other sites

Welcome to the forum.

First:

Please run a Quick Scan with Malwarebytes like this and post the log:

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

---------------------

Then please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt (DDS won't run on W8)

(please don't put logs in code or quotes and use the default font)

(Please don't forget to run the RogueKiller scan below)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Thanks for the quick reply. I ran the scans you suggested, results below.  Malwarebytes and RogueKiller worked fine, but dds only gave me attach.txt, no DDS.txt, and attach.txt seems to be incomplete compared to other examples I have found. I disabled what I could as suggested (I am using MSE, disabled real-time protection and closed malwarebytes, also turned off windows firewall after disconnecting my network cable), and it still only gives me one file.  I ran dds on a win7 pro 64 bit machine I have at home and it worked perfectly fine, with good looking reports of both titles.  What I have is posted below. Thanks

 

ATTACH.TXT

 

 .

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume3
Install Date: 11/12/2010 1:54:37 Before Noon
System Uptime: 3/1/2014 12:08:06 Before Noon (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | P7H55-M PRO
Processor: Intel® Core i5 CPU         661  @ 3.33GHz | LGA1156 | 3334/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 931 GiB total, 622.919 GiB free.
D: is FIXED (NTFS) - 147 GiB total, 53.743 GiB free.
E: is FIXED (FAT32) - 5 GiB total, 0.658 GiB free.
F: is CDROM (CDFS)
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {678dcf40-e2e6-11d5-8cd5-e960089ea00a}
Description: Saitek Magic Bus
Device ID: ROOT\SAITEK_MAGIC_BUS\0001
Manufacturer: Saitek
Name: Root Enumerator
PNP Device ID: ROOT\SAITEK_MAGIC_BUS\0001
Service: SaiNtBus
.
Class GUID: {678dcf40-e2e6-11d5-8cd5-e960089ea00a}
Description: Saitek Magic Bus
Device ID: ROOT\SAITEK_MAGIC_BUS\0002
Manufacturer: Saitek
Name: Root Enumerator
PNP Device ID: ROOT\SAITEK_MAGIC_BUS\0002
Service: SaiNtBus
.
==== System Restore Points ===================
.
RP832: 1/18/2014 3:32:36 Before Noon - Windows Update
RP833: 1/22/2014 3:32:27 Before Noon - Windows Update
RP834: 1/24/2014 9:49:17 After Noon - Installed Java 7 Update 51
RP835: 1/25/2014 4:54:29 After Noon - Windows Update
RP836: 1/29/2014 4:54:50 After Noon - Windows Update
RP837: 2/2/2014 5:35:06 After Noon - Windows Update
RP838: 2/5/2014 10:45:34 After Noon - Installed Java 7 Update 45 (64-bit)
RP839: 2/6/2014 10:19:30 After Noon - Windows Update
RP840: 2/10/2014 10:19:26 After Noon - Windows Update
RP841: 2/13/2014 3:00:12 Before Noon - Windows Update
RP842: 2/16/2014 3:00:16 Before Noon - Windows Update
RP843: 2/19/2014 3:41:11 Before Noon - Windows Update
RP844: 2/27/2014 2:25:03 Before Noon - Scheduled Checkpoint
RP845: 2/28/2014 6:54:11 After Noon - Windows Update
.
==== Image File Execution Options =============
.
.
==== Installed Programs ======================
.
.
==== End Of File ===========================
 
 
 
MALWAREBYTES LOG
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.26.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16518
Owner :: OWNER-PC [administrator]
 
Protection: Enabled
 
2/28/2014 11:42:07 After Noon
mbam-log-2014-02-28 (23-42-07).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236452
Time elapsed: 7 minute(s), 28 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 
ROGUEKILLER REPORT
 
RogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 02/28/2014 23:54:45
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
-> D:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST31000528AS ATA Device +++++
--- User ---
[MBR] 458fe7b9213c82602c762812b7d3bcac
[bSP] 1b119a1dd93e8f23b366d5f434f73f66 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) Maxtor 6Y160P0 ATA Device +++++
--- User ---
[MBR] 42752de480ecd46378871c03dfa056eb
[bSP] 1aad33938f4675cd0e275336065ec374 : Legit.B MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 5322 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 10901520 | Size: 151000 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_02282014_235445.txt >>
 
 
 
 
Link to post
Share on other sites

Lets run some scans:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Then............

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Ran these scans as suggested, thank you.  The logs are attached.  TDSS Killer cured one malicious item (it was a rootkit, that makes sense) and ComboFix did it's thing.  I restarted, then enabled windows firewall, security essentials, and malwarebytes before reconnecting my network cable.  There have been no suspicious connections to malicious websites, only one explorer.exe process, and the machine is idling smoothly.  I re-ran DDS, and it appeared to work fine, producing two full logs. Those are attached as well.  Let me know if there is anything else I should check or any more utilities to run.  Now I know where to start when faced with malware. I will certainly  consult this forum again if I have further issues.  Thanks again

 

 

attach 3_2_14.txt

ComboFix.txt

dds 3_2_14.txt

TDSSKiller.3.0.0.25_02.03.2014_14.36.18_log.txt

TDSSKiller.3.0.0.25_02.03.2014_14.38.32_log.txt

Link to post
Share on other sites

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt, place it next to ComboFix.exe

CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.